Background

Mozilla’s first response to the threat of this type of spoofing was to disable IDN support and instead display the more verbose form of IDN URLs—punycode. (Punycode bears little resemblance to the intended appearance of an IDN, removing the risk of spoofing.)

Later, it was decided that some IDN addresses would be shown as intended—but only if the domain’s registrar had a public anti-spoofing policy. (Another preference keeps track of which top-level domains are displayed as intended.)

About the same time, developers realized that certain Unicode characters were too dangerous to ever be shown inside an IDN domain name. Initially, these just included characters that looked similar to a forward slash (U+2044 and U+2215). However, eventualy the list grew to include spaces (U+2006, U+2007), dots (U+06D4), fractions (U+2154), and other various characters. As a result of this realization, a blacklist of characters was created: if any IDN contained any of the specified characters, it would instead be shown in its punycode form.

As of 2009-02-24, the complete list of (107) blacklisted characters is as follows. (Depending on your browser, platform, and installed fonts, the example characters may not display as intended. Some of them aren’t intended for display in the normal sense of the word.)